Browser Forensic Tools 


With the help of browser forensics and forensic tools, one can extract sensitive data and chosen keywords from most web browsers. One can retrieve deleted data and keywords, check whether history was cleared, and retrieve artifacts such as cookies, download data, history, saved passwords and websites visited. It also helps a lot in understanding how an attack on a system was conducted, and in finding the source of malware, adware, spyware, malicious emails, phishing websites etc.


1. Chrome-Cache-View- 


Chrome Cache View is a small utility that reads the cache folder of Google Chrome 
Web browser, and displays the list of all files currently stored in the cache. 


Usage/advantages- 


o Information for each cache file is displayed as: URL, Content type, File size, Last accessed time, Expiration time, Server name, Server response, and more.

o You can select and export one or more cache files from the list, and copy the URL list and the entire table of cache files to an Excel spreadsheet.

o You can also extract and save the actual files from the cache.


The Location of Chrome Cache Folder-
The cache folder of Google Chrome:
C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default\Cache

Download ChromeCacheView from:
https://www.nirsoft.net/utils/chrome_cache_view.html


Copy the executable file (ChromeCacheView.exe) to the destination folder and run it.
The main window displays the list of files currently stored in the cache of the default Google Chrome user.
Information gathered: file name, URL, timestamp, website, server time, IP address etc.

To extract files from the cache, simply press F4 or right-click and choose "open selected cache file".

Commands:


/stext <Filename> -
To save the list of all cache files with their details into a regular text file.

/stab <Filename> -
To save the list of all cache files into a tab-delimited text file (details shown line-by-line).

/scomma <Filename> -
To save the list of all cache files into a comma-delimited text file.

/stabular <Filename> -
To save the list of all cache files into a tabular text file.

/shtml <Filename> -
To save the list of all cache files into an HTML file (Horizontal).

/sverhtml <Filename> -
To save the list of all cache files into an HTML file (Vertical).


/sxml <Filename> -
To save the list of all cache files to an XML file.

[Screenshot: source of a report saved by ChromeCacheView, opened in the browser from Users/HP/Downloads/chromecacheview/]

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Chrome Cache</title></head>
<body>
<h3>Chrome Cache</h3>
<br><h4>Created by using <a href="http://www.nirsoft.net" target="newwin">ChromeCacheView</a></h4><p><table border="1" cellpadding="5">
<tr><td bgcolor="E0E0E0" nowrap><b>Filename</b><td bgcolor=#FFFFFF nowrap>w3840-h2160-p-k-no-nd-mv.jpeg
<tr><td bgcolor="E0E0E0" nowrap><b>URL</b><td bgcolor=#FFFFFF nowrap>https://lh4.googleusercontent.com/proxy/UOhQwfclsAK8 TnXZqgoTkh9szHvY OJ3auDHO7hZBZeVaaRWvzGaxXpaYI60MfCRuW_SS7gvzBw859pjSxXi2pw_GpfG8k2GhESLUFNKwA=w3840-h2160-p-k-no-nd-mv
<tr><td bgcolor="E0E0E0" nowrap><b>Content Type</b><td bgcolor=#FFFFFF nowrap>image/jpeg
<tr><td bgcolor="E0E0E0" nowrap><b>File Size</b><td bgcolor=#FFFFFF nowrap>1,095,750
<tr><td bgcolor="E0E0E0" nowrap><b>Last Accessed</b><td bgcolor=#FFFFFF nowrap>08-Apr-23 4:27:51 PM
<tr><td bgcolor="E0E0E0" nowrap><b>Server Time</b><td bgcolor=#FFFFFF nowrap>07-Apr-23 7:57:45 PM
<tr><td bgcolor="E0E0E0" nowrap><b>Server Last Modified</b><td bgcolor=#FFFFFF nowrap>01-Jan-01 5:30:00 AM
<tr><td bgcolor="E0E0E0" nowrap><b>Expire Time</b><td bgcolor=#FFFFFF nowrap>08-Apr-23 7:57:45 PM
<tr><td bgcolor="E0E0E0" nowrap><b>Server Name</b><td bgcolor=#FFFFFF nowrap>fife
<tr><td bgcolor="E0E0E0" nowrap><b>Server Response</b><td bgcolor=#FFFFFF nowrap>HTTP/1.1 200
<tr><td bgcolor="E0E0E0" nowrap><b>Web Site</b><td bgcolor=#FFFFFF nowrap>chrome://new-tab-page
<tr><td bgcolor="E0E0E0" nowrap><b>Frame</b><td bgcolor=#FFFFFF nowrap>chrome-untrusted://new-tab-page
<tr><td bgcolor="E0E0E0" nowrap><b>Content Encoding</b><td bgcolor=#FFFFFF nowrap>&nbsp;
<tr><td bgcolor="E0E0E0" nowrap><b>Cache Name</b><td bgcolor=#FFFFFF nowrap>f_00591b
<tr><td bgcolor="E0E0E0" nowrap><b>Cache Control</b><td bgcolor=#FFFFFF nowrap>public, max-age=86400, no-transform
<tr><td bgcolor="E0E0E0" nowrap><b>ETag</b><td bgcolor=#FFFFFF nowrap>&nbsp;
<tr><td bgcolor="E0E0E0" nowrap><b>Server IP Address</b><td bgcolor=#FFFFFF nowrap>142.250.76.161
<tr><td bgcolor="E0E0E0" nowrap><b>URL Length</b><td bgcolor=#FFFFFF nowrap>167
<tr><td bgcolor="E0E0E0" nowrap><b>Deleted File</b><td bgcolor=#FFFFFF nowrap>No
</table><p>
<table border="1" cellpadding="5">
<tr><td bgcolor="E0E0E0" nowrap><b>Filename</b><td bgcolor=#FFFFFF nowrap>hl=en-US&amp;async=fixed_0.json
<tr><td bgcolor="E0E0E0" nowrap><b>URL</b><td bgcolor=#FFFFFF nowrap>https://www.google.com/async/newtab_ogb?hl=en-US&amp;async=fixed:0
<tr><td bgcolor="E0E0E0" nowrap><b>Content Type</b><td bgcolor=#FFFFFF nowrap>application/json

/copycache <URL> <Content Type> - 
Copy files from the cache. 


In the <URL> parameter, you can specify the URL of the Web site (for example: 
http://www.nirsoft.net) or empty string ("") if you want to copy files from all Web sites. 


In the <Content Type> parameter, you can specify full content type (like image/png), partial content type (like 'image') or empty string ("") if you want to copy all types of files.

[Screenshot: This PC > Downloads > chromecacheview > CacheFiles folder containing the copied files, e.g. emoji_u2764 and favicon_144x144]

Here I specified the URL of YouTube and the file type is image, the command copied all the images associated with the URL.


2. Dumpzilla 


Dumpzilla is a browser forensic command-line tool that works on Windows, Mac and Linux. It comes pre-installed on our Kali Linux machine. We can get the browser's passwords, history, bookmarks, cookies, extensions, sessions, permissions, downloads etc.


Dumpzilla is written in Python 3 and can extract all forensically interesting information from browsers like Firefox.


Features and uses- 
Dumpzilla can collect information of following: 


• Cookies + DOM storage (HTML5)
• Downloads
• Web forms
• History
• Offline Cache
• Thumbnail Extraction
• Addons / Extensions and used paths or URLs
• Browser saved passwords
• SSL certificates added as an exception
• Session data
• Visualize live user surfing, URL used in each tab

Firefox saves the browser's data in profiles; to extract that data for forensics we use Dumpzilla. Here we need to know the path of the default profile. Different operating systems have different paths; here we are using Kali-


Linux or UNIX profile path
/home/$USER/.mozilla/firefox/xxxx.default


Download the tool from the official website or from github page. 


Firstly we will check the profile- 


[Screenshot: terminal listing of /home/kali/.mozilla/firefox]


Downloads 


Now we will run the commands to get information from the browser, 


Here we are checking all the downloads-

/home/kali/.mozilla/firefox/bc40t7pc.default-esr

Directories

Source file: /home/kali/.mozilla/firefox/bc40t7pc.default-esr/content-prefs.sqlite
SHA256 hash: 9f82ad8620da1e921fd7a9e742806e0d343fae2b14a968482b06e9add83af72f

data found!

Downloads history

Source file: /home/kali/.mozilla/firefox/bc40t7pc.default-esr/places.sqlite
SHA256 hash: d879abed3caee53327ed3eebcae85bea24f14656e989df82cc669fa87c499cbc

Date: 2023-03-28 14:23:47
URL: https://download.winzip.com/gl/oemg/winzip26-mf.exe
Name: file:///home/kali/Downloads/winzip26-mf(1).exe

Date: 2023-03-28 14:25:08
URL: https://download.winzip.com/gl/nkLn/winzip27-downwz.exe
Name: file:///home/kali/Downloads/winzip27-downwz.exe

Date: 2023-03-28 14:27:22
URL: https://www.7-zip.org/a/7z2201-x64.exe
Name: file:///home/kali/Downloads/7z2201-x64.exe

Date: 2023-03-29 01:19:53
URL: ://www.win-rar.com/fileadmin/winrar-versions/rarlinux-x64-621.tar.gz
Name: file:///home/kali/Downloads/rarlinux-x64-621.tar.gz

Date: 2023-03-29 01:27:12
URL: //files.sempersecurus.org/dumps/cridex_memdump.zip
Name: file:///home/kali/Downloads/cridex_memdump.zip

Date: 2023-03-29 01:33:02
URL: https://downloads.volatilityfoundation.org/volatility3/symbols/Linux.zip
Name: file:///home/kali/Downloads/Linux.zip

Date: 2023-03-29 07:29:41
URL: https://codeload.github.com/ytisf/theZoo/zip/refs/heads/master
Name: file:///home/kali/Downloads/theZoo-master.zip

Date: 2023-03-29 08:02:13
URL: https://www.winitor.com/tools/pestudio/current/pestudio.zip
Name: file:///home/kali/Downloads/pestudio.zip

Date: 2023-03-29 08:03:24

If we want we can save the information in a text file- 


[Screenshot: Dumpzilla run on /home/kali/.mozilla/firefox/bc40t7pc.default-esr with the downloads output saved to output.txt]
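The download records above come from places.sqlite, and each source file is hashed in the output. As an added example (not Dumpzilla's code and not from the original page), this Python script does the same two things by hand on a constructed database: it hashes the file, opens it read-only and joins the download annotations to their URLs. It assumes the moz_places / moz_annos / moz_anno_attributes layout and the downloads/destinationFileURI and downloads/metaData annotations of current Firefox; every row and function name is made up for the example.

```python
import hashlib
import json
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

DEST_ANNO = "downloads/destinationFileURI"  # annotation holding the saved path
META_ANNO = "downloads/metaData"            # annotation holding JSON metadata


def sha256_file(path):
    """Hash the evidence file so the parsed copy can be identified later."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def prtime_to_text(prtime):
    """Firefox stores PRTime: microseconds since 1970-01-01 UTC."""
    moment = datetime.fromtimestamp(prtime // 1_000_000, tz=timezone.utc)
    return moment.strftime("%Y-%m-%d %H:%M:%S")


def extract_downloads(places_db):
    """Return (sha256, records) for the downloads in a copy of places.sqlite."""
    places_db = Path(places_db).resolve()
    file_hash = sha256_file(places_db)
    # mode=ro + immutable=1: SQLite will not write to, lock or journal the file.
    con = sqlite3.connect(places_db.as_uri() + "?mode=ro&immutable=1", uri=True)
    con.row_factory = sqlite3.Row
    query = """
        SELECT p.url, dest.content AS target, dest.dateAdded AS added,
               meta.content AS meta
          FROM moz_annos AS dest
          JOIN moz_anno_attributes AS da ON da.id = dest.anno_attribute_id
          JOIN moz_places AS p ON p.id = dest.place_id
          LEFT JOIN moz_anno_attributes AS ma ON ma.name = ?
          LEFT JOIN moz_annos AS meta
                 ON meta.place_id = dest.place_id
                AND meta.anno_attribute_id = ma.id
         WHERE da.name = ?
         ORDER BY dest.dateAdded
    """
    records = []
    try:
        for row in con.execute(query, (META_ANNO, DEST_ANNO)):
            meta = json.loads(row["meta"]) if row["meta"] else {}
            records.append({"date": prtime_to_text(row["added"]),
                            "url": row["url"], "name": row["target"],
                            "size": meta.get("fileSize")})
    finally:
        con.close()
    return file_hash, records


def build_sample_places(path):
    """Constructed stand-in for places.sqlite with only the columns used above."""
    def prtime(*parts):
        return int(datetime(*parts, tzinfo=timezone.utc).timestamp()) * 1_000_000

    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_anno_attributes (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE moz_annos (id INTEGER PRIMARY KEY, place_id INTEGER,
            anno_attribute_id INTEGER, content TEXT, dateAdded INTEGER);
    """)
    con.executemany("INSERT INTO moz_anno_attributes VALUES (?, ?)",
                    [(1, DEST_ANNO), (2, META_ANNO)])
    con.executemany("INSERT INTO moz_places VALUES (?, ?)", [
        (1, "https://downloads.example/tools/archiver-x64.exe"),
        (2, "https://files.example/dumps/memdump.zip"),
        (3, "https://www.example/visited-only.html"),  # visited, never downloaded
    ])
    later = prtime(2023, 3, 29, 1, 27, 12)
    con.executemany(
        "INSERT INTO moz_annos (place_id, anno_attribute_id, content, dateAdded)"
        " VALUES (?, ?, ?, ?)", [
            (2, 1, "file:///home/kali/Downloads/memdump.zip", later),
            (2, 2, json.dumps({"state": 1, "fileSize": 41943040}), later),
            (1, 1, "file:///home/kali/Downloads/archiver-x64.exe",
             prtime(2023, 3, 28, 14, 27, 22)),
        ])
    con.commit()
    con.close()


def run_on_constructed_sample():
    """Build the sample, parse it, and hash it again to show it is unchanged."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "places.sqlite"
        build_sample_places(db)
        file_hash, records = extract_downloads(db)
        return file_hash, sha256_file(db), records


if __name__ == "__main__":
    for rec in run_on_constructed_sample()[2]:
        print(rec)
```

Comparing the hash taken before parsing with one taken afterwards is the check that the evidence copy was not altered by the analysis.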


We can get information about all the cookies stored, 


/home/kali/.mozilla/firefox/bc40t7pc.default-esr

Cookies

Source file: /home/kali/.mozilla/firefox/bc40t7pc.default-esr/cookies.sqlite
SHA256 hash: 11a717e35a6ba35f9054ae648bfddde97f355d7e8dad1b43cc50ea5641f19b16

Host: .github.com
Name: _octo
Value: GH1.1.481563044.1680026420
Path
Expiry: 2024-03-28 14
Last Access: 2023-0
Creation Time: 2023-03-28 14:00:19
Secure: Yes
HttpOnly: No

Host: .github.com
Name: logged_in
Expiry: 2024-03-28 14:00:20
Last Access: 2023-03-29 08:02:03
Creation Time: 2023-03-28 14:00:19
Secure: Yes
HttpOnly: Yes

Host: www.google.com
Name: OTZ
Value: 6962047_72_76_104100_72_446760
Path
Expiry: 2023-04-27 14:0
Last Access: 202
Creation Time
Secure: Yes
HttpOnly: No

Host: .digitalitskills.com
Name: _ga
Value: GA1.2.2128369636.1680026849
Path: /
Expiry:
Last Access
Creation Time
Secure: No
HttpOnly: No

Host: .digitalitskills.com
Name: _gid
Value: GA1.2.263920127.1680026849


/home/kali/.mozilla/firefox/bc40t7pc.default-esr

Search Engines

Source file: /home/kali/.mozilla/firefox/bc40t7pc.default-esr/search.json.mozlz4
SHA256 hash: 3a99c56a249f169ad327d0347194c8ed5206e99d2a6fd7646e40b2bbba40e4d6

Name: Google
Description:
Path:

Name: Wikipedia (en)
Description:
Path:

Name: Bing
Description:
Path:

Name: DuckDuckGo
Description:
Path:

Name: Amazon.com
Description:
Path:

Total Information
Total Search Engines

All the pages that have been bookmarked-

/home/kali/.mozilla/firefox/bc40t7pc.default-esr

Source file: /home/kali/.mozilla/firefox/bc40t7pc.default-esr/places.sqlite
SHA256 hash: d879abed3caee53327ed3eebcae85bea24f14656e989df82cc669fa87c499cbc

[Screenshot: bookmark records with Title, URL, Creation Time and Last Modified fields; the legible titles include Kali Tools and Kali Docs, the rest of the text is not recoverable]


3. Hindsight- 


Hindsight is an internet history forensics tool for the Google Chrome browser.
Hindsight is a free tool for analyzing web artifacts.
Uses:


Hindsight is an open-source tool used to analyze or investigate web artifacts and to correlate the root cause or origin of an intrusion.


Features- 


• It started with the browsing history of the Google Chrome web browser and has expanded to support other Chrome-based applications.

• Hindsight can parse a number of different types of web artifacts, including URLs, download history, cache records, bookmarks, autofill records, saved passwords, preferences, browser extensions, HTTP cookies, and Local Storage records (HTML5 cookies).

• Once the data is extracted from each file, it is correlated with data from other history files and placed in a timeline.


The tool can be downloaded from the github page, we can download the executable 
files from the release page- 


https://github.com/obsidianforensics/hindsight/releases/tag/v2023.03 


Run the executable file and this interface will appear- 


[Console window: C:\Users\HP\Downloads\hindsight_gui.exe, Hindsight v2023.03]

Bottle v0.12.25 server starting up (using WSGIRefServer())...
Listening on http://localhost:8080/
Ctrl-C to quit.

Now, to start using the tool, open the localhost address mentioned in the interface, i.e.
http://localhost:8080/


Depending on the operating system, provide the path in the input, here:
C:\Users\HP\AppData\Local\Google\Chrome\User Data


In the plugin selector we can select the results we want according to our requirements, and click on RUN to start gathering information.


[Screenshot: Hindsight web interface at localhost:8080]

Hindsight - Web Artifact Analysis

Hindsight is a free tool for analyzing web artifacts. To get started, select the 'Input Type' below and fill out the 'Input Path' field. Review the plugins and options on the right, and hit the 'Run' button at the bottom.

Input Type: Chrome
Profile Path: C:\Users\HP\AppData\Local\Google\Chrome\User Data
Cache Path: (optional - only needed if outside of the profile path)
Description: Chrome is a free web browser from Google that runs on Windows, macOS, Linux, ChromeOS, iOS, and Android. Each user's web history and configuration information is stored under their user directory, so there may be multiple sets of browser data on the system.
Available Decryption: Windows / Mac / Linux (status icons not recoverable)

Plugin Selector
• Chrome Extension Names [v20210424]
• Generic Timestamp Decoder [v20160907]
• Google Analytics Cookie Parser [v20170130]
• Google Searches [v20160912]
• Load Balancer Cookie Decoder [v20200213]
• Quantcast Cookie Parser [v20160907]
• Query String Parser [v20170225]
• Time Discrepancy Finder [v20170129]

Default Locations:
Windows XP: [userdir]\Local Settings\Application Data\Google\Chrome\User Data
Vista/7/8/10/11: [userdir]\AppData\Local\Google\Chrome\User Data
Linux: [userdir]/.config/google-chrome
macOS: [userdir]/Library/Application Support/Google/Chrome/Default
iOS: \Applications\com.google.chrome.ios\Library\Application Support\Google\Chrome
Android: /userdata/data/com.android.chrome/app_chrome

Options Selector
Log Path: hindsight.log
Timezone
Copy files before opening?
Temp Path: hindsight-temp

In the result summary we can see the parsed artifacts and profile paths-

Hindsight - Web Artifact Analysis

Results

Input Path: C:\Users\HP\AppData\Local\Google\Chrome\User Data
Input Type: Chrome
Profile Paths:
• C:\Users\HP\AppData\Local\Google\Chrome\User Data\Default
• C:\Users\HP\AppData\Local\Google\Chrome\User Data\Guest Profile
• C:\Users\HP\AppData\Local\Google\Chrome\User Data\Profile 1
• C:\Users\HP\AppData\Local\Google\Chrome\User Data\Snapshots\108.0.5359.126\Profile 1
• C:\Users\HP\AppData\Local\Google\Chrome\User Data\Snapshots\109.0.5414.121\Default
• C:\Users\HP\AppData\Local\Google\Chrome\User Data\Snapshots\109.0.5414.121\Profile 1
• C:\Users\HP\AppData\Local\Google\Chrome\User Data\Snapshots\110.0.5481.180\Default
• C:\Users\HP\AppData\Local\Google\Chrome\User Data\Snapshots\110.0.5481.180\Profile 1
• C:\Users\HP\AppData\Local\Google\Chrome\User Data\System Profile

Parsed Artifacts
Detected Chrome version: 107-111
URL records: 17308
Download records: 4253
Cache records: 0
Cookie records: 4400
Local Storage records: 5805
Autofill records: 74
Login Data records: 16
Preference Items: 1677
Session Storage records: 1159
Site Characteristics records: 0
HSTS records: 593

Buttons: Save XLSX | Save JSONL | Save SQLite DB | View SQLite DB in Browser | Start New Analysis Session

All the results are shown in the interface, and the result can be saved as an Excel sheet, JSON file or SQL DB file.

Plugin Results
Chrome Extension Names [v20210424]: - 31 extension URLs parsed -
Generic Timestamp Decoder [v20160907]: - 0 timestamps parsed -
Google Analytics Cookie Parser [v20170130]: - 0 cookies parsed -
Google Searches [v20160912]: - 1913 searches parsed -
Load Balancer Cookie Decoder [v20200213]: - 0 cookies parsed -
Quantcast Cookie Parser [v20160907]: - 0 cookies parsed -
Query String Parser [v20170225]: - 8515 query strings parsed -
Time Discrepancy Finder [v20170129]: - 0 differences parsed -


We can also view the database in the browser and run queries to extract the desired data from it-


SELECT * FROM 'timeline' LIMIT 0,30

[Screenshot: query result with the columns type, timestamp, url, title, value, interpretation and profile; the rows shown are bookmark records dated 2015-07-04 to 2019-02-14, with the value "Synced > Mobile bookmarks" or "Bookmarks bar"]


SELECT title FROM 'timeline' LIMIT 0,30

title
Welcome to Indian Railway Passenger reservation Enquiry
www.facebook.com
About
Book Ticket - Passengers Information
Magic Autofill
Computer Programming
Informationvine.com
Welcome to Online Programming
Learn Python | Codecademy
Online exam project in java swing without database - javatpoint
https://kheloindia.sportz.io/Login
What are important topics for aptitude test for campus? - Quora
Programming Tutorials, Coding Problems and Practice Questions | HackerEarth
Course | Sudo Placement 2
Practice | GeeksforGeeks | A computer science portal for geeks


SELECT URL FROM 'timeline' WHERE URL = 'https://www.facebook.com/'

url
https://www.facebook.com/
(the same value is returned for each of the 15 matching rows shown)
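The timeline table queried above can also be used to pivot around a single event. As an added example (not part of the original page or of Hindsight), this Python script loads constructed rows into an in-memory table that reuses the column names visible in the query result above, then lists everything recorded in the same profile within a few minutes of a download. The function names, URLs and rows are assumptions made for the example.

```python
import sqlite3

# Constructed rows: type, timestamp, url, title, value, interpretation, profile.
SAMPLE_TIMELINE = [
    ("bookmark", "2019-02-14 02:50:01.035", "https://practice.example/",
     "Practice", "Bookmarks bar", None, "Default"),
    ("url", "2023-03-29 07:58:10.400", "https://search.example/?q=pe+analyzer",
     "pe analyzer - Search", None, None, "Default"),
    ("cookie (created)", "2023-03-29 08:01:02.000", "tools.example/",
     "session", None, None, "Default"),
    ("url", "2023-03-29 08:01:55.250", "https://tools.example/analyzer/",
     "Analyzer download page", None, None, "Default"),
    ("download", "2023-03-29 08:02:13.000",
     "https://tools.example/analyzer/current/analyzer.zip",
     None, "C:\\Users\\analyst\\Downloads\\analyzer.zip", None, "Default"),
    ("url", "2023-03-29 08:30:00.000", "https://news.example/",
     "News", None, None, "Default"),
    ("url", "2023-03-29 08:02:30.000", "https://other.example/",
     "Other", None, None, "Profile 1"),
]


def load_sample_timeline():
    """In-memory stand-in for the timeline table of the saved SQLite DB."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.execute("CREATE TABLE timeline (type TEXT, timestamp TEXT, url TEXT,"
                " title TEXT, value TEXT, interpretation TEXT, profile TEXT)")
    con.executemany("INSERT INTO timeline VALUES (?, ?, ?, ?, ?, ?, ?)",
                    SAMPLE_TIMELINE)
    return con


def count_by_type(con):
    """How many timeline records exist per artifact type."""
    sql = "SELECT type, COUNT(*) AS n FROM timeline GROUP BY type"
    return {row["type"]: row["n"] for row in con.execute(sql)}


def events_around(con, anchor_type, url_fragment, minutes):
    """Rows from the same profile within +/- `minutes` of each anchor record."""
    sql = """
        SELECT t.timestamp, t.type, t.url, t.title, t.profile,
               CAST(ROUND((julianday(t.timestamp) - julianday(a.timestamp))
                          * 86400) AS INTEGER) AS offset_s
          FROM timeline AS a
          JOIN timeline AS t ON t.profile = a.profile
         WHERE a.type = ?
           AND instr(a.url, ?) > 0
           AND ABS(julianday(t.timestamp) - julianday(a.timestamp)) * 1440.0 <= ?
         ORDER BY a.timestamp, t.timestamp
    """
    return [dict(r) for r in con.execute(sql, (anchor_type, url_fragment, minutes))]


if __name__ == "__main__":
    con = load_sample_timeline()
    print(count_by_type(con))
    for hit in events_around(con, "download", "analyzer.zip", 5):
        print(f"{hit['offset_s']:>5}s  {hit['type']:<17} {hit['url']}")
```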


In the Excel result file we can see that we got a lot of information related to all the bookmarks, URLs, cache accessed and created, login information, downloads, site settings and sessions, with time stamps, plus other information such as preferences (all profile/account information).

[Screenshot: the XLSX export opened in Excel. Worksheets: Timeline, Storage, Installed Extensions, Preferences (Default), Preferences (Guest Profile), Preferences (Profile 1). The Timeline sheet is filtered by type, e.g. cookie (accessed), cookie (created), download, preference (session), site setting (engagement), site setting (hsts); the Installed Extensions sheet lists each extension's name, description, version and profile.]


4. Unfurl -


Unfurl is used to extract and visualize all possible data from URLs. 


Unfurl takes a URL and expands it into a directed graph, extracting every bit of information from the URL and exposing what is hidden in it.


Unfurl breaks up a URL into components, extracts as much information as it can from each piece, and presents it visually.


Features- 


• Unfurl has parsers for URLs, search engines, chat applications, social media sites, and more.

• It also has more generic parsers (timestamps, UUIDs, etc.) helpful for exploring new URLs or reverse engineering.

• Whether the URL is extracted from a memory image, carved from slack space, or pulled out of a browser's history file, this tool can provide every bit of information it can.


We can get the tool from the github page- 
https://github.com/obsidianforensics/unfurl 


Either we can use it online or we can install it locally on our console 


[Screenshot: README.md at github.com/obsidianforensics/unfurl]

How to use Unfurl

Online Version
1. There is an online version at https://dfir.blog/unfurl. Visit that page, enter the URL in the form, and click 'Unfurl!'.
2. You can also access the online version using a bookmarklet - create a new bookmark and paste javascript:window.location.href='https://dfir.blog/unfurl/?url='+window.location.href; as the location. Then when on any page with an interesting URL, you can click the bookmarklet and see the URL "unfurled".

Local Python Install
1. Install via pip: pip install dfir-unfurl

After Unfurl is installed, you can use it via the web app or command-line:

1. Run python unfurl_app.py
2. Browse to localhost:5000/ (editable via config file)
3. Enter the URL to unfurl in the form, and 'Unfurl!'

OR

1. Run python unfurl_cli.py https://twitter.com/_RyanBenson/status/1205161015177961473
2. Output:

[1] https://twitter.com/_RyanBenson/status/1205161015177961473
 ├─(u)─[2] Scheme: https
 ├─(u)─[3] twitter.com
 |  ├─(u)─[5] Domain Name: twitter.com
 |  └─(u)─[6] TLD: com
 └─(u)─[4] /_RyanBenson/status/1205161015177961473
    ├─(u)─[7] 1: _RyanBenson

Here we can see all the modules; it can parse data from any type of source: general URLs, search engines, social media or videos, IDs (UUID, TikTok ID), timestamps etc.


General URL (simple link, complicated link, short link etc.)-

Welcome to Unfurl! Here are some examples:

• Simple URL (https://www.example.com/path/index.html?a=1&b=2)
• Complicated Domain (https://ryan:P@s$WoOrd!@my.dfir.blog:8080/unfurl)
• Magnet Link (magnet:?xt=urn:btih:c9e15763f722f23e98a29decdfae34...)
• Mailto: Link (mailto:to@example.com?cc=cc@second.example&bcc=bcc...)
• Punycode Domain (https://www.xn--85x722f.com.cn)
• Shortlinks (https://t.co/QPs812NVAW)


Simple URL- scheme, domain information, subdomain, TLD, URL path segment, parsing function, URL query.

https://www.example.com/path/index.html?a=1&b=2

[Unfurl graph; legible nodes: www.example.com; Subdomain: www; Domain Name: example.com; Domain is on list of RFC 6761 Special-Use Domain Names; Domain is extremely popular (found in "Top 1000" lists); /path/index.html; 2: index.html; File Name: index; File Extension: html]


Complicated URL - getting host details

https://ryan:P@s$WoOrd!@my.dfir.blog:8080/unfurl

[Unfurl graph; legible nodes: Scheme: https; Password: P@s$WoOrd!; Host: my.dfir.blog; Port: 8080; Domain Name: dfir.blog; TLD: blog]


Short links- details about domain, host details, expanded URL and the website used, creation time, UUID generated, URL path etc.

https://t.co/QPs812NVAW

[Unfurl graph; legible nodes: Domain Name: t.co; TLD: co; Domain is on list of known URL Shorteners; Domain is extremely popular; Scheme: https; a timestamp of 2020-08-31 18:51:56; Version 4 UUID; the rest of the graph text is not recoverable]


UUID- MAC address, timestamp, vendor

a28cad70-0d73-11ea-aaef-0800200c9a66

Version 1 UUID is based on time and MAC address
Time generated: 1574460088775.0
2019-11-22 22:01:28.775
MAC address: 08:00:20:0C:9A:66
Vendor: Oracle Corp
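The fields Unfurl shows for this UUID can be recomputed by hand. As an added example (not Unfurl's code and not from the original page), this Python script decodes the timestamp and node of a version 1 UUID and, going slightly beyond the single value above, pulls every UUID out of a URL and reports which ones carry a clock reading and a hardware address. The sample URL and function names are made up; the vendor name needs an OUI registry lookup, which is left out.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# 100-nanosecond ticks between the UUID epoch (1582-10-15) and the Unix epoch.
UUID_EPOCH_OFFSET = 0x01B21DD213814000
UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}")

# Constructed URL: the version 1 UUID from the text plus a made-up version 4 one.
SAMPLE_URL = ("https://app.example/invite/a28cad70-0d73-11ea-aaef-0800200c9a66"
              "?session=3f2b8c1e-5d6a-4e7f-9a1b-2c3d4e5f6a7b")


def decode_uuid(text):
    """Return the forensic fields a UUID exposes; only version 1 has time/MAC."""
    parsed = uuid.UUID(text)
    info = {"uuid": str(parsed), "version": parsed.version}
    if parsed.version != 1:
        return info
    ticks = parsed.time - UUID_EPOCH_OFFSET          # 100 ns units since 1970
    generated = (datetime(1970, 1, 1, tzinfo=timezone.utc)
                 + timedelta(microseconds=ticks // 10))
    node = parsed.node.to_bytes(6, "big")
    info.update({
        "unix_ms": ticks // 10_000,
        "generated_utc": generated.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3],
        "mac": ":".join(f"{b:02X}" for b in node),
        "oui": ":".join(f"{b:02X}" for b in node[:3]),  # vendor prefix
        # RFC 4122: a node ID that is not a real MAC has the multicast bit set,
        # so a set bit means the "MAC" says nothing about the hardware.
        "node_is_random": bool(node[0] & 0x01),
        "clock_seq": parsed.clock_seq,
    })
    return info


def uuids_in_url(url):
    """Decode every UUID-shaped token found anywhere in a URL."""
    return [decode_uuid(token) for token in UUID_RE.findall(url)]


if __name__ == "__main__":
    for item in uuids_in_url(SAMPLE_URL):
        print(item)
```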


Searching for some URL to see what this tool will provide information — 


1. https://pixabay.com/photos/tree-sunset-clouds-sky-silhouette-736885/ 


unfurd 


https://pixabay.com/photos/tree-sunset-clouds-sky-silhouette-736885/ 


https://pixabay.com/photos/tree-sunset-clouds-sky-silhouette-736885/ 


/photos/tree-sunset-clouds-sky-s 
ilhouette-736885/ 


> 
tree-sunset-clouds-sky-silhouette 
-736885 


Domain Name: pixabay.com 


Domain is extremely 
eats in "Top 
1000" lists) 


2. https://www.pexels.com/video/plants-clinging-by-the-tree-branches-in-a-forest-2882118/ 


[Unfurl graph: URL path /video/plants-clinging-by-the-tree-branches-in-a-forest-2882118/; Domain Name: pexels.com; Domain is popular (found in "Top" lists)]


3. https://www.youtube.com/watch?v=LIKH82gL3R8 


[Unfurl graph: query string v=LIKH82gL3R8; Domain Name: youtube.com; Domain is extremely popular (found in "Top 1000" lists); Domain is on list of known Google domains; Video ID: LIKH82gL3R8]


4. https://scontent.fnag11-1.fna.focdn.net/v/t39.30808-6/336669761_2080672178808580_3494805194198427251_n.jpg?_nc_cat=107&ccb=1-7&_nc_sid=730e14&_nc_ohc=EoPLxRhhtWcAX_CkxhN&_nc_ht=scontent.fnag11-1.fna&oh=00_AfCgBvrVdy60Bex25aj6_GQMqWHCDXLAQfINVZ56C6fxEtcQ&oe=643907A5 


[Unfurl graph: TLD: net; the URL path split into segments, with the file name 336669761_2080672178808580_3494805194198427251_n and its file extension; the query string split into key/value pairs (_nc_cat: 107, ccb: 1-7, _nc_sid: 730e14, _nc_ohc, _nc_ht: scontent.fnag11-1.fna, oh, oe: 643907A5); one node carries Unfurl's note: Cisco "Type 7" password encoding is based on XOR and is easily reversible [ref].]


5. Browser History Viewer- 


Browser History Viewer is a forensic software tool by Foxton Forensics for extracting 
and viewing internet history from web browsers like Firefox, Chrome, Edge, Internet 
Explorer etc. 


Features- 


o Website Activity Timeline- Identify peaks in internet activity using the interactive 
timeline. 

o Filtering- Find relevant data faster with filtering by keywords and date/time range. 

o Cached Image Gallery- Browse the images a user has viewed online using the built-in 
image gallery. 


The Examiner premium version has some additional features- 


o Remote data capture 

o Recover deleted history 

o Cached web page viewer 

o Advanced filtering & searching 


The tool can be downloaded from — 


https://www.foxtonforensics.com/browser-history-viewer/download 


Here we can filter by keyword, timestamp, or browser — 


[Screenshot: Browser History Viewer main window with Website History and Cached Images tabs; columns Date Visited, Title, URL, Visit Count, Calculated Visit Count, Web Browser (Profile); side panel with Filter by keyword, Filter by date (From/To) and Filter by web browser]


From File, select Load History, then choose the appropriate option. 


[Screenshot: Browser History Viewer - Load History dialog with three options: Load history captured using the Browser History Capturer tool (select "Capture" folder); Load history from Windows user profile (select user profile folder, for example C:\Users\Admin; here C:\Users\HP is entered); Load history manually. A Load button confirms the choice.]


This tool retrieves all the history data with timestamps and provides the visit counts, 
along with a graph of website visit count over time. 


[Screenshot: Website History tab listing Edge (Default) and Chrome (Default) records under the columns Date Visited, Title, URL, Visit Count, Calculated Visit Count and Web Browser (Profile), above a "Website Visit Count - 11-05-2022 to 11-11-2023" chart with monthly ticks from May 2022 to Nov 2023. Time zone: UTC]


If we want to look for a particular thing in a particular time range, we can search in the 
keyword box and provide the desired date range- 


[Screenshots: the Website History tab before and after filtering. The filtered view lists Edge (Default) records from 30/01/2023, including Google searches for "investment fraud", "financial fraud" and "online financial fraud"; Page 1 of 1, Viewing 40/13815 records; chart "Website Visit Count - 19-01-2023 to 30-01-2023"]


All the cached images with details- 


[Screenshot: Cached Images tab; columns Last Fetched, Filename, URL, Fetch Count, File Size (Bytes), Web Browser (Profile); entries fetched on 09/04/2023 from a Firefox profile; Viewing 765/765 records; Time zone: UTC]


Read more about browser forensics in the Myanmar language 


(www.forensicsmyanmar.com) (Aung Zaw Myo) 


1 - https://archive.org/details/clear-browsing-data-forenscis 


2 - https://archive.org/details/browser-forensics 


